Exetools  

#1 Line79, 09-23-2004, 23:21
Hey ho

Thank you for your answers.

To me, it sounds more like this new security option.
Can't be anything else. Any other compiled files run fine with a SEH on SP2.
Except those inside VC++.

While tracing the dispatcher, I went to some routines where I could see:

mov eax, canarystuff.

The canary is used to protect against buffer overflow, and maybe there is
something related to that in the exception protection you are detailing.

I will need to dig...

I tried two other protectors, and they seem to work well, their SEH works.
Fuck me, they are the same code as mine, so it's got to be a white list or something.

The same file runs fine on XP SP1, btw,
so it's really a combination of SP2 and VC++ 7.

I don't know about the version of VC++. Is it 7.0 or 7.1? I have no clue.
Probably the latest, though.

Is this protection documented anywhere?
I will look through the MSDN.

Thanks

#2 kernel, 09-24-2004, 18:06
Try to add the IMAGE_SCN_MEM_EXECUTE attribute to these additional sections.

For the details download part 3 of the document at http://go.microsoft.com/fwlink/?LinkId=28022.

#3 nullz, 09-24-2004, 19:06
Just a shot in the dark here, but if you have modified/packed a raw compiled VSNET2003 .exe, the PE mods/packing you did could have RUINED the SEH info in the (usually) redundant space in the PE Header. Check that first.

#4 Line79, 09-27-2004, 08:06
Actually, gigaman was right.

After some debugging, I finally figured it was the Load Stuff in the Directory table.

Zeroing its size resolved the problem.

It was related to Safe Exceptions:

There is a white list of exception handlers. If an exception occurs, the OS checks whether the exception handler is in the white list or not, and kills the software if not. This is to prevent exploitation of buffer overflows and friends via SEH overwrite.

Thank you all for your tips, and sorry for taking so long to answer.

Cheers!
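
The handler whitelist discussed in this thread is stored in the PE Load Configuration directory (data directory entry 10, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG). The following is an added example, not code from any poster: it lists the whitelisted handlers of a PE32 image and whether each lies in a section marked IMAGE_SCN_MEM_EXECUTE, so a packed file can be compared against the original build. `safeseh_report` and `build_sample` are hypothetical names, the sample image is constructed, and the field offsets are those of IMAGE_LOAD_CONFIG_DIRECTORY32.

```python
import struct

LOAD_CONFIG = 10           # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
MEM_EXECUTE = 0x20000000   # IMAGE_SCN_MEM_EXECUTE

def safeseh_report(img):
    """Return (has_load_config, [(handler_rva, in_executable_section), ...]) for PE32 bytes."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]                      # e_lfanew
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, optsz = struct.unpack_from("<H12xH", img, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("the handler table exists only in PE32 (x86) images")
    base, ndirs = (struct.unpack_from("<I", img, opt + o)[0] for o in (28, 92))
    # per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
    secs = [struct.unpack_from("<8x4I12xI", img, opt + optsz + 40 * i) for i in range(nsec)]
    def section_of(rva):
        return next((s for s in secs if s[1] <= rva < s[1] + max(s[0], s[2])), None)
    def read(rva, fmt):
        s = section_of(rva)
        if s is None:
            raise ValueError(f"RVA {rva:#x} is outside every section")
        return struct.unpack_from(fmt, img, rva - s[1] + s[3])
    entry = opt + 96 + 8 * LOAD_CONFIG
    rva, size = struct.unpack_from("<2I", img, entry) if ndirs > LOAD_CONFIG else (0, 0)
    if not rva or not size:
        return False, []               # empty directory entry: image carries no handler table
    if read(rva, "<I")[0] < 0x48:
        return True, []                # structure too short to hold SEHandlerTable/Count
    table_va, count = read(rva + 0x40, "<2I")   # SEHandlerTable (a VA), SEHandlerCount
    rvas = read(table_va - base, f"<{count}I") if table_va and count else ()
    return True, [(h, bool((section_of(h) or (0,) * 5)[4] & MEM_EXECUTE)) for h in rvas]

def build_sample(handler_rvas, dir_size=0x48):
    """Constructed header-only PE32 with one .text section; sample data, not a real program."""
    img, opt = bytearray(0x400), 0x58
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 1, 0xE0)           # i386, 1 section, opt size
    struct.pack_into("<H", img, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)                  # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<2I", img, opt + 96 + 8 * LOAD_CONFIG, 0x1000, dir_size)
    struct.pack_into("<8s4I12xI", img, opt + 0xE0, b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
    struct.pack_into("<I", img, 0x200, 0x48)                         # load config Size
    struct.pack_into("<2I", img, 0x240, 0x401100, len(handler_rvas)) # table VA, count
    struct.pack_into(f"<{len(handler_rvas)}I", img, 0x300, *handler_rvas)
    return bytes(img)
```

A handler that a packer adds without registering it in this table, or a directory entry whose size was zeroed, shows up as a difference between the report for the original build and the report for the packed file.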